
Beware of Skype

On Sunday, August 5, 2007 Bush signed the revised Foreign Intelligence Surveillance Act (FISA) into law, in which the U.S. Congress spinelessly caved in and gave legal authority to the Bush administration to continue to intercept and spy on electronic communications. Then, on Thursday, August 16, 2007, the whole worldwide Skype network went down. Coincidence? I think if you use Skype, you should now be very, very concerned about the privacy of your calls and had better start considering using FOSS alternatives.

The revised FISA exposes Americans to broad surveillance without court approval. In part, the bill permits surveillance without warrants on telephone calls and e-mails between the United States and foreign locations in which the foreign participant is suspected of terrorist links. The bill also permits spying without warrants on communications strictly between foreign parties but routed through U.S. equipment.

In fact, the government has already been caught with its fingers illegally deep in the cookie jar of electronic communications when it was revealed that the NSA had set up a spying operation run out of an ATT San Francisco fiber optic network switching center. Of course, the government admits none of this, but the ACLU filed suit to get information on the government’s operations, and the FISA court recently ordered the government to turn over the information the ACLU requested by August 31, 2007. See details of that here: ACLU Suit.

Often the government doesn't seem to have much reluctance to engage in outright illegal spying; the question now is what it will do with the cover of legal authority. I think we just saw an example of what to expect from it with the Skype incident.

Now, according to this Ars Technica article, which references this Skype blog post, the alleged “culprit” for the worldwide Skype outage was the massive restart of PCs caused by the (simultaneous?) rebooting of computers which had recently undergone the standard Windows patching process called Patch Tuesday.

The article further states: “Normally Skype’s peer-to-peer network has an inbuilt ability to self-heal, however, this event revealed a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly.” Oh yes...

Skype also had to include the obligatory: “We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk”. While Skype “can confirm categorically” that the problem didn’t emanate from malicious user activity, what about malicious U.S. government activity, with or without Skype’s help?

The Skype network has been a concern of government intelligence agencies since its inception because it provides a worldwide network of encrypted VoIP calls to potential “terrorists”. So how coincidental is it that 10 days after Bush signs into law a bill giving the government authority to track foreign calls that go through U.S. networks, Skype, for the first time in its existence, undergoes a massive worldwide outage?

Personally, I am not buying Skype’s story. Since Skype is a proprietary commercial enterprise, it doesn’t allow for open source auditing of their code; so they can tell us anything without providing any independent means of verification. And I put nothing past the people in the government to deliberately compromise it.

And for all you skeptics out there, the most interesting comment was the last sentence of the article, stating Skype was “attempting to get clarification on why previous Windows Updates did not cause similar problems in the past”.

Yes, indeed.

But there are FOSS alternatives to Skype people really should start considering now. One is the OpenWengo Project. Businesses, and even individuals, should also consider setting up their own Asterisk servers with encryption.

However, I think the ultimate answer to privacy on the net is to never assume the network you are using isn’t being tapped, and to rely on client-to-client encryption as provided by tools such as Phil Zimmermann’s Zfone Project. When this becomes standard and ubiquitous, we will have secure phone-to-phone communication, similar in function to a VPN for the internet.
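The trust model behind that advice, as an added example that is not code from the original post or from the Zfone project: two endpoints agree on a call key over a relay they do not trust, compare a Short Authentication String (SAS) out of band as ZRTP (the protocol Zfone implements) does, and encrypt the media so the relay forwards only ciphertext. A relay that runs its own key agreement with each side does get the plaintext, but the two SAS values then differ with overwhelming probability, which is exactly what the spoken SAS comparison exists to catch. Everything about the cryptographic primitives here is an assumption made for self-containment, not Zfone's construction: Diffie-Hellman is done over the Mersenne prime 2**1279 - 1 with base 3 instead of a standardized group, and media is protected with an HMAC-SHA256 counter-mode keystream plus an HMAC tag instead of SRTP.

```python
"""Model of client-to-client call encryption with an SAS check (added example;
constructed primitives, not Zfone's): an untrusted relay sees only ciphertext,
and a relay that substitutes its own key exchange produces mismatched SAS values."""
import hashlib
import hmac
import secrets

P = (1 << 1279) - 1   # Mersenne prime M1279: demonstration-only DH modulus (assumption)
G = 3
NBYTES = 160          # enough bytes to hold any value below P
SAS_BITS = 20         # ZRTP derives its SAS from the leading bits of a hash


def _keystream(key, seq, n):
    """Counter-mode PRF: HMAC(key, seq || counter) blocks, truncated to n bytes."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, seq.to_bytes(4, "big") + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return out[:n]


class Endpoint:
    """A call participant. Its private exponent never leaves this object."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbits(1024)
        self.pub = pow(G, self._priv, P)
        self.key = self.sas = None

    def complete(self, peer_pub, initiator_pub, responder_pub):
        """Derive media key and SAS from the DH secret and both public values as seen locally."""
        shared = pow(peer_pub, self._priv, P)
        material = b"".join(v.to_bytes(NBYTES, "big") for v in (shared, initiator_pub, responder_pub))
        self.key = hashlib.sha256(b"media-key|" + material).digest()
        digest = hashlib.sha256(b"sas|" + material).digest()
        self.sas = int.from_bytes(digest[:4], "big") >> (32 - SAS_BITS)

    def encrypt(self, seq, plaintext):
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.key, seq, len(plaintext))))
        header = seq.to_bytes(4, "big")
        return header + body + hmac.new(self.key, header + body, "sha256").digest()[:10]

    def decrypt(self, packet):
        header, body, tag = packet[:4], packet[4:-10], packet[-10:]
        if not hmac.compare_digest(tag, hmac.new(self.key, header + body, "sha256").digest()[:10]):
            raise ValueError("bad tag: altered packet or mismatched key")
        seq = int.from_bytes(header, "big")
        return bytes(a ^ b for a, b in zip(body, _keystream(self.key, seq, len(body))))


class Relay:
    """An honest but fully untrusted network node: it records and forwards every byte."""

    def __init__(self):
        self.seen = b""

    def relay_key(self, pub, direction):
        return pub

    def relay_media(self, packet):
        self.seen += packet
        return packet

    def plaintext_seen(self):
        return self.seen   # only ciphertext ever lands here


class MitmRelay(Relay):
    """A relay that substitutes its own DH values on both legs of the call."""

    def __init__(self):
        super().__init__()
        self.left, self.right = Endpoint("mitm-left"), Endpoint("mitm-right")
        self.pubs, self.decrypted = {}, b""

    def relay_key(self, pub, direction):
        self.pubs[direction] = pub
        return self.right.pub if direction == "i->r" else self.left.pub

    def relay_media(self, packet):
        init_pub, resp_pub = self.pubs["i->r"], self.pubs["r->i"]
        self.left.complete(init_pub, init_pub, self.left.pub)      # leg facing the initiator
        self.right.complete(resp_pub, self.right.pub, resp_pub)    # leg facing the responder
        clear = self.left.decrypt(packet)
        self.decrypted += clear
        return self.right.encrypt(int.from_bytes(packet[:4], "big"), clear)

    def plaintext_seen(self):
        return self.decrypted


def run_call(initiator, responder, relay, media=b"hello from the initiator"):
    """Key agreement through `relay`, one media packet, and what each party can tell."""
    pub_to_responder = relay.relay_key(initiator.pub, "i->r")
    pub_to_initiator = relay.relay_key(responder.pub, "r->i")
    initiator.complete(pub_to_initiator, initiator.pub, pub_to_initiator)
    responder.complete(pub_to_responder, pub_to_responder, responder.pub)
    packet = relay.relay_media(initiator.encrypt(1, media))
    try:
        delivered = responder.decrypt(packet)
    except ValueError:
        delivered = None
    return {
        "sas_match": initiator.sas == responder.sas,   # the values the callers read aloud
        "delivered": delivered,
        "relay_saw_plaintext": media in relay.plaintext_seen(),
    }


if __name__ == "__main__":
    for r in (Relay(), MitmRelay()):
        print(type(r).__name__, run_call(Endpoint("alice"), Endpoint("bob"), r))
```

Two things the model makes visible: the honest relay delivers the call perfectly while holding nothing but ciphertext, and the interposed relay also delivers the call perfectly, so the callers notice nothing unless they compare the SAS. Real ZRTP additionally has the initiator commit to a hash of its DH value before the exchange, which stops an interposer from grinding its own values until the two SAS strings happen to agree; that commitment is omitted here.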

So, you can call me anything you want, but if you call me on Skype I’m going to assume Dick Cheney is listening.

Comments

While I'm skeptical about the theories presented in this article, I do think that they are gaining traction and it might be considered an appropriate response from Skype to provide more detail concerning what precisely went wrong.

Do you actually understand the complexity of adding another layer on a P2P software like Skype?
And btw Skype is owned by eBay/PayPal. Do you really think they would undermine the security of their users? Imagine the consequences for their business...

This past week it was widely reported the government finally publicly admitted that major phone companies (ATT, Verizon, et al.) had voluntarily opened up their networks to allow spying on them.

The Bush regime has a track record of breaking the law and then covering it up and lying about it. And then when it's caught red-handed it claims it was done in the name of "national security." The question then becomes which nation. Certainly not this nation, which has a Constitution that prohibits this dictatorial declaration of executive authority, a Constitution these officials allegedly take an oath to protect, uphold, and defend.

But Skype doesn't need to change the fundamentals of its P2P network to aid the government. All it has to do is things like the following:

1) Allow tracking or tracing of calls through its P2P network by the government.

2) Allow for PC-to-PC calls to have unencrypted channels so that they can be listened to, while the regular calls proceed encrypted as normal to users, unknown to them.

3) Allow the government to have access to Skype's users database.

4) Allow the government to block certain calls from connecting, or to terminate them when the government wants.

5) Allow the government to make calls to people at will, for nefarious reasons.

6) Allow the government to have backdoor hooks into all future upgrades to Skype's client software, and more importantly, to their server platforms.

Only fools, fellow fascists, or FUD fakes, would summarily believe, defend, or promote, ANYTHING this government would say about not spying on people, in the face of its clear and growing documented record of abuses.

How many people wanna bet that sometime in the not so far off future it will be revealed that Skype too had been compromised in some way by the government, or at their request?

Skype relies on the fact that it uses a closed source protocol with very tight control over the servers hosting the user db. Spying on calls is not really as easy as the article infers it to be, but it is possible. If there is a direct route between 2 nodes then the connection is not routed through the Skype servers. However, there is also the option of routing all the information through the Skype servers or any server that pretends to be a Skype one. Hence it is possible to use some NSA servers to, in a way, steal Skype. This would be useful to collect information about who is talking with whom and when, and it's possible to even record the actual conversation. And the bad thing is that given enough resources and brain power you don't really need to ask eBay for permission to do this. There is a research paper that was published not long ago explaining how this could potentially be done. (Sorry, I don't have the name of the author at hand.) The conclusion was that no regular user can do this in practice, but then again the NSA is not a regular user ... Of course, without the legislation in place all intel collected is useless and moreover illegal.

I don't really think that the NSA is spying on Skype or that my conversations are not private when I use Skype. My gripe with Skype has to do with the huge memory footprint and the closed nature of the protocol. The fact that Skype is the only network that I can't connect to with Pidgin really bugs me, and this is why I use Skype only when I have no other choice. But if there was a deal between any security agency and eBay to spy on people, the image of the company would not be hurt because the user would never know about it. No security agency is obligated to tell you if they are spying on you.

Good article. I think the article might have been stronger absent attempts to link recent FISA passage to Skype failings. Even if it were true, FISA is scary enough! We are increasingly aware of other illegal domestic wiretapping. Here is one example: http://www.nytimes.com/2007/08/26/opinion/26sun2.html?_r=1&oref=slogin. So, Jabari is right. It is an excellent idea to consider how to better protect civil liberties using free software. Thanks for the links!

I thought that this was explained: Windows Update, which yes, there was one on that date, as I watched it happen, everyone restarted, a fuckton and a half of login requests sent at once, that will and can overload servers, Skype goes down.

I'm about tired of the Bush hate. I don't support the man, but god damn, now we're just making nonsensical connections here, people.

Edw - why assume all terrorists speak Arabic? The U.S. seems to have plenty of home-grown anarchists and terrorists of its own. For me FISA is just one more nail in the coffin for U.S. foreign relations. Here in Europe, we don't trust U.S. foreign policy any more. Over 60 years of loyalty between the E.U. and U.S. have been undermined by Bush Sr. and Bush Jr. treating every other nation like a small pet. U.S. policy in Iraq has set up another century of civil war in Iraq. Time to stop acting like dictators.

Well, I can't say that I find this article very credible. It's a post-hoc fallacy. Fact A occurred before fact B, therefore fact B must be a consequence of fact A. No proof whatsoever is presented regarding the connection between Skype's breakdown and US Government intervention. That is not to say that you can't be right; what do I know?